The number of security breaches that compromise personal data continues to increase significantly year after year in Catalonia. The Catalan Data Protection Authority (APDCAT) has received and processed 183 security breach notifications in 2023, which represents an increase of 22% compared to 2022. It is attributed to the increase in cyber security incidents that affect organizations due to the growth of this type of attacks at a global level and also the progressive consolidation of the figure of the data protection officer, who ensures compliance with the norm in organizations and report this type of incident.
The reported breaches have affected almost 1.5 million people, a figure that could be much higher considering that in 21 cases it has not been possible to specify the number. This represents an 82% increase from 2022, which is explained by the higher number of reported breaches and also because one of the cyberattacks reported in 2023 affected the health data of more than 800,000 people.
31% due to cyber attacks
In 2023, the malicious external act is the first cause of reported incidents, representing 52% of the total. Within this category, cyberattacks account for 31% of the total and represent a third of all breaches reported. For its part, the theft of equipment and documentation accounts for the remaining 21% of malicious internal acts. Human error remains in second place, with a growth of four percentage points, and in third place is the malicious internal act.
Unintentional improper publication of data on the internet, such as on transparency portals or the controller's electronic dashboard, was responsible for 6% of unintentional data disclosures. It also highlights the increase in security incidents that originate from the development of technological solutions that have not taken privacy into account in the design, which has allowed unauthorized people to access data.
With respect to 2022, the impact on the group of patients decreases substantially (from 24% to 19%), in correspondence with the decrease in notifications that affect the health environment; it also falls in the group of particularly vulnerable people, referring to people served by social services or applicants for resources in this environment, which goes from 11% to 9%. The reduction in these groups reflects the decrease in violations affecting data of special categories. Conversely, the percentage of those affecting minors is growing (from 8% to 10%), as are incidents related to education.
Data confidentiality, the most affected
In 2023, the impact on confidentiality has increased compared to previous years, which had remained constant at around 80%, which is partly explained by the higher number of reported breaches. It may also have contributed to the fact that a significant number of attacks with kidnapping software (ransomware) suffered during the year 2023, apart from affecting the availability of data (due to temporary or permanent loss of access to encrypted data), also affect their confidentiality, given that they suffer from data exfiltration. Data security breaches can simultaneously affect confidentiality, availability and integrity, as is the case with phishing attacks.
Regarding the typology of data, the majority of breaches affect contact and identification data, as has been common since 2018. Regarding special categories of data, it should be noted that, after the remarkable growth of 2022 compared to 2021 (from 24% to 43%), this year the trend has reversed, as a result of the decrease in incidents affecting the health environment, and the percentages have returned to the decreasing values that had previously followed this data.
In all these cases, the Authority has analyzed whether measures have been taken to resolve or contain the data security incident, limit the risks for the affected persons and avoid, as far as possible, that produce again
The Catalan Data Protection Authority (APDCAT) has received and processed 183 notifications of personal data security breaches in 2023, which have affected nearly 1.5 million people, 82% more than the previous year